Troubleshooting Q&A - December 22, 2004
Make a Video Connection ... But Be Careful
Video conferencing lets you stay in face-to-face contact with far-away friends, but getting it to function means fussing with your firewall. We offer some advice for getting Microsoft's NetMeeting to work over the Internet, and then offer some caveats and some alternatives.
By Ron Pacchiano
Q. A good friend of mine recently moved away, but we still talk quite a bit. To help make the distance seem not so far, we thought it would be cool to try video conferencing. After all, we both have a high-speed cable modem and access to video conference software via Microsoft's NetMeeting.
I did some research and came across an article that indicated that in order to get NetMeeting to work over the Internet I would need to open up a series of ports on my firewall. My friend and I both implemented the updates to our systems, but for some reason NetMeeting is unable to establish a connection. We've double-checked all of our settings and everything appears to be right, yet we just can't seem to get this application to function. The funny thing is that I actually have some experience with NetMeeting. The company I work for uses it during conferences with our West Coast office and we've never had a problem with it. Is there anything you can think of that might help us to resolve this issue? We are both using D-Link DI-704 routers and NetMeeting version 3.01. Thanks for all of your help.
A. I don't know exactly what article you read, but I can all but guarantee you that the reason you're still having problems with Microsoft NetMeeting is simply because you didn't open all of the ports the application needs in order to establish a connection. Don't feel bad, though. I have yet to meet someone who has been able to get NetMeeting to function reliably and consistently outside of a LAN. Those who do insist on using NetMeeting have resigned themselves to the fact that they need to make certain compromises. And like most compromises, this one has its drawbacks. Before we delve into that, let's take a closer look at the cause of our affliction.
In order to establish a connection over the Internet, NetMeeting requires access to several IP ports to communicate with other meeting participants. If you use a firewall to connect to the Internet, the firewall must be configured so that the ports used by NetMeeting are not blocked. However, NetMeeting requires access to more ports than you could realistically or safely open. According to Microsoft, in order for NetMeeting to establish outbound connections through a firewall, the firewall must be configured to pass packets through primary TCP connections on the following ports:
OK, that's easy enough. However, we're not done yet. NetMeeting also requires you to open up pass-through secondary User Datagram Protocol (UDP) connections on dynamically assigned ports 1024-65535. These are used specifically for H.323 call control (TCP) and H.323 streaming.
That's practically the ENTIRE port range! If you were to do that, there would be no reason for you to even own a firewall. This is the primary reason why NetMeeting is typically used only in large LAN environments, where there is no firewall to contend with. Here is how it works: the H.323 call setup protocol (over port 1720) dynamically negotiates a TCP port for use by the H.323 call control protocol. Also, both the audio call control protocol (over port 1731) and the H.323 call setup protocol (over port 1720) dynamically negotiate UDP ports for use by the H.323 streaming protocol, called the real time protocol (RTP). In NetMeeting, two ports are determined on each side of the firewall for audio and video streaming. These dynamically negotiated ports are selected arbitrarily from all ports that can be assigned dynamically.
Since you're trying to establish a connection based on an IP address, this next section doesn't really apply to you. However, if you were trying to establish a connection using NetMeeting's directory services then you'd need access to either port 389 or port 522, depending on the type of server you are using. Internet Locator Servers (ILSs), which support the lightweight directory access protocol (LDAP) for NetMeeting 2.0 or later, require port 389. User Location Servers (ULSs), developed for NetMeeting 1.0, require port 522.
Now let's discuss those compromises. Since it's not possible to open the continuous range of ports from 1024-65535 within the D-Link router you have (nor would you want to if you could), the only available option for you would be to assign your PC to the router's DMZ. By placing your PC in the DMZ, ALL of the ports to your computer will be exposed to potential threats and attacks. This is the same exposure you would face if you connected your PC directly to your Internet connection. Needless to say, this is not a very good option, and if you decide to do it, be sure to remove your PC from the DMZ immediately after you've finished your NetMeeting session.
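The trade-off described above can be made concrete with a small model. This is an added example, not code from the original column or from Microsoft or D-Link: it treats the router as a stateless port-forwarding table, uses only the fixed ports the article names (389, 522, 1720, 1731), and assumes each call negotiates one dynamic TCP port and two dynamic UDP ports as the text describes.

```python
import random

DYNAMIC = range(1024, 65536)          # dynamically assigned range from the article
FIXED_TCP = {389, 522, 1720, 1731}    # only the fixed ports the article names

def negotiate_call(rng):
    """Ports one call needs: fixed setup ports plus arbitrarily chosen dynamic ones."""
    return [
        ("tcp", 1720),                  # H.323 call setup
        ("tcp", 1731),                  # audio call control
        ("tcp", rng.choice(DYNAMIC)),   # H.323 call control, negotiated over 1720
        ("udp", rng.choice(DYNAMIC)),   # RTP audio stream
        ("udp", rng.choice(DYNAMIC)),   # RTP video stream
    ]

def make_policy(tcp=(), udp=()):
    """Simplified stateless firewall policy: forwarded ports per protocol."""
    return {"tcp": set(tcp), "udp": set(udp)}

POLICIES = {
    "fixed ports only": make_policy(tcp=FIXED_TCP),
    "fixed + dynamic range": make_policy(tcp=FIXED_TCP | set(DYNAMIC), udp=DYNAMIC),
    "DMZ host": make_policy(tcp=range(1, 65536), udp=range(1, 65536)),
}

def blocked_flows(policy, call):
    """Flows of a call that the policy would drop."""
    return [(proto, port) for proto, port in call if port not in policy[proto]]

def exposed_port_count(policy):
    """Total TCP + UDP ports left reachable on the PC."""
    return len(policy["tcp"]) + len(policy["udp"])

def success_rate(policy, calls=1000, seed=2004):
    """Fraction of simulated calls in which no flow is blocked."""
    rng = random.Random(seed)
    ok = sum(not blocked_flows(policy, negotiate_call(rng)) for _ in range(calls))
    return ok / calls

if __name__ == "__main__":
    for name, policy in POLICIES.items():
        print(f"{name:22} exposed={exposed_port_count(policy):6} "
              f"calls completing={success_rate(policy):.0%}")
```

Opening the fixed ports alone never completes a call because the media ports are never among them, while the dynamic-range policy exposes almost as many ports as the DMZ does.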
For detailed instructions on how to go about enabling your DMZ option on your D-Link DI-704 router visit D-Link.
However, if you plan on having these video conferences on a consistent basis, then you might consider looking into safer, alternative applications with less stringent port requirements. On the software side, I know that AOL has built-in video conference capabilities now (even though I've never used them) and I've heard that A.V.M. Software's PalTalk 7.0 application is good. There are dozens of other video conferencing applications currently available and almost all of them should be easier to get working than NetMeeting is.
To be honest, I was never very impressed with the quality of the software-based video conferencing packages I've seen. So if it were me, I would look into a hardware-based solution, something like the D-Link DVC-1000 i2eye VideoPhone. Since then they've gotten a lot cheaper and have even introduced a wireless version, the DVC-1100. The DVC-1000 connects to your TV and has a built-in speaker phone for hands-free conversations, but you can even plug in a regular telephone handset for better audio quality. It functions independently of your PC and is far easier to install and configure than most software-based solutions. Not to mention it is significantly less risky to place the DVC-1000 into your router's DMZ than your PC. However, the DVC-1000 actually has clear port usage requirements, so getting it to operate correctly with your firewall should be easy enough. While not cheap, the DVC-1000 is a fantastic product that does exactly what it's supposed to do simply and with a minimum of hassle.
Lucky for you though, it's Christmas time!! So I wouldn't worry about the price… Just ask Santa and promise to be a good boy next year! Good luck to both of you and Happy Holidays!
I hope you find this helpful. Good Luck!